Merge pull request #1379 from orangetw/master

enhanced path validation in Windows
sinatra · Feb 11, 2018 · 6bcc6c3 · 6bcc6c3
2 parents d661739 + ba7af51
commit 6bcc6c3
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/rack-protection/lib/rack/protection/path_traversal.rb b/rack-protection/lib/rack/protection/path_traversal.rb
@@ -24,14 +24,17 @@ def cleanup(path)
           encoding = path.encoding
           dot   = '.'.encode(encoding)
           slash = '/'.encode(encoding)
+          backslash = '\\'.encode(encoding)
         else
           # Ruby 1.8
           dot   = '.'
           slash = '/'
+          backslash = '\\'
         end
 
         parts     = []
-        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash)
+        unescaped = path.gsub(/%2e/i, dot).gsub(/%2f/i, slash).gsub(/%5c/i, backslash)
+        unescaped = unescaped.gsub(backslash, slash)
 
         unescaped.split(slash).each do |part|
           next if part.empty? or part == dot